[CentOS] netflow colelction and analysis

Timo Schoeler timo.schoeler at riscworks.net
Sun Dec 6 22:48:45 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

thus Alan McKay spake:
> On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> <JCasale at activenetwerx.com> wrote:
>> Anyone got a reco on a package that can collect netflow data and accept user defined queries
>> for specific data, like what an ip did every hour for some said interval?
> 
> well, collecting is pretty easy of course - tcpdump.
> And you can load the files into wireshark to query.
> 
> Though it is probably not just what you want.
> 
> In my  old job I set up a sniffer appliance which basically ran
> tcpdump on any interface except the main interface, and logged it all
> in circular log files of a certain size.  And the directory where
> these were kept were served out via the web server so that anyone
> could surf to the box and grab log files to look at.
> 
> You may also want to have a look at what ntop can do these days - it
> has been a few years since i've looked at it.
> 
> But of course this all assumes the traffic is visible to your CentOS
> box.  For my sniffer appliance the way to deploy it was that all the
> other NICs except the main one got plugged into a mirror port on the
> switch, which mirrored the particular PC we wanted to sniff.  In our
> case this was fine because we only monitored our product which was a
> VOIP appliance we were developing.
> 
> Alternately, running this on your router will pick up most of what you
> want - but obviously not local LAN traffic

Well, netflow is the appropriate technology for this:

http://en.wikipedia.org/wiki/Netflow

Unfortunately, I don't know a solution for the thread starters question
out of my head, so this was just for clarifying what we're talking
about... ;)

Timo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkscNM0ACgkQO/2mgkVVV7mcngCaA7oWyotXtnrTxHakYgPdy6Od
yQUAn0UHkw/1xgAqKLtyZST1y5TfigX0
=LzLT
-----END PGP SIGNATURE-----


More information about the CentOS mailing list